It's worth mentioning that GitHub only allows us to act on your behalf in repos you install the app in. But when you install the app, you'll see it's only requesting read permissions to metadata => it can't take any actions, either by itself or on your behalf.
So tbh I think that bit of UI is a little deceptive because in practice we can't actually do anything with just an authorization but no installation. Relevant docs: https://docs.github.com/en/apps/using-github-apps/authorizin....
Still very useful feedback though!